F5 Networks BIG-IP : Insufficient validation of ICMP error messages (K23440942)

Nessus plugin: F5_BIGIP_SOL23440942.NASL
Published: May 08, 2017
This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Source: www.tenable.com

The vulnerability described in this article was initially fixed in earlier versions, but a regression was reintroduced in BIG-IP 12.x through 13.x. For information about earlier versions, refer to K4583:
Insufficient validation of ICMP error messages - VU#222750 / CVE-2004-0790 (9.x - 10.x).

Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the ‘blind connection-reset attack.’ NOTE:
CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. (CVE-2004-0790)

Impact

A remote attacker can interfere with the Path MTU Discovery process and cause a performance degradation or reset of FastL4 accelerated TCP connections by spoofing a specifically crafted Internet Control Message Protocol (ICMP) message.
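The defence against the attack class named here (CVE-2004-0790 and the PMTUD variant above) is to validate every inbound ICMP error against TCP connection state before letting it reset a connection or lower its path MTU: the quoted IP/TCP header must belong to a live connection and its quoted sequence number must fall inside the in-flight send window. The following is an added example, not code from Tenable, F5 or the K23440942 article; the ICMP/IPv4/TCP field offsets are standard, while the connection table, addresses and sequence numbers are constructed test data. The sample-packet builder exists only to produce input for the validator.

```python
import socket
import struct

IPPROTO_TCP = 6
ICMP_DEST_UNREACH = 3   # ICMPv4 type 3
ICMP_FRAG_NEEDED = 4    # type 3 / code 4: "fragmentation needed and DF set", drives PMTUD


def parse_icmp_error(pkt):
    """Split an ICMPv4 error into its fields.

    Layout: 8-byte ICMP header, then the quoted IPv4 header of the datagram that
    triggered the error, then at least the first 8 bytes of its transport header
    (for TCP: source port, destination port, sequence number).
    Returns None when the message is truncated or does not quote a TCP segment.
    """
    if len(pkt) < 8 + 20 + 8:
        return None
    icmp_type, icmp_code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[:8])
    quoted = pkt[8:]
    ihl = (quoted[0] & 0x0F) * 4
    if quoted[0] >> 4 != 4 or ihl < 20 or len(quoted) < ihl + 8:
        return None
    if quoted[9] != IPPROTO_TCP:
        return None
    sport, dport, seq = struct.unpack("!HHI", quoted[ihl:ihl + 8])
    return {
        "type": icmp_type, "code": icmp_code, "mtu": mtu,
        "src": socket.inet_ntoa(quoted[12:16]), "dst": socket.inet_ntoa(quoted[16:20]),
        "sport": sport, "dport": dport, "seq": seq,
    }


def validate_icmp_error(pkt, conns):
    """Decide whether an ICMP error may act on a TCP connection.

    conns maps (local_ip, local_port, remote_ip, remote_port) -> (snd_una, snd_nxt).
    The quoted datagram was sent by us, so its source address is our local side.
    Accept only if the quoted 4-tuple is a live connection AND the quoted sequence
    number satisfies SND.UNA <= SEQ < SND.NXT (modulo 2^32); a spoofer who does not
    see the connection has to guess both. Returns (accepted, reason).
    """
    info = parse_icmp_error(pkt)
    if info is None:
        return False, "malformed, truncated, or non-TCP quotation"
    conn = conns.get((info["src"], info["sport"], info["dst"], info["dport"]))
    if conn is None:
        return False, "quoted 4-tuple matches no connection"
    snd_una, snd_nxt = conn
    in_flight = (snd_nxt - snd_una) & 0xFFFFFFFF
    if ((info["seq"] - snd_una) & 0xFFFFFFFF) >= in_flight:
        return False, "quoted SEQ outside the in-flight send window"
    if info["type"] == ICMP_DEST_UNREACH and info["code"] == ICMP_FRAG_NEEDED:
        return True, "PMTUD update accepted, next-hop MTU %d" % info["mtu"]
    return True, "error accepted for an established connection"


def make_sample_icmp_error(src, dst, sport, dport, seq, code=ICMP_FRAG_NEEDED, mtu=576):
    """Constructed test input (not a captured packet): an ICMP type 3 error quoting
    an IPv4/TCP header with the given fields. Checksums are left as zero."""
    icmp_hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, 0, 0, mtu)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, IPPROTO_TCP, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return icmp_hdr + ip_hdr + struct.pack("!HHI", sport, dport, seq)


# Constructed connection table: one established flow with 500 bytes in flight.
SAMPLE_CONNS = {("10.0.0.5", 443, "198.51.100.7", 51000): (1000, 1500)}

if __name__ == "__main__":
    legit = make_sample_icmp_error("10.0.0.5", "198.51.100.7", 443, 51000, seq=1200)
    bad_seq = make_sample_icmp_error("10.0.0.5", "198.51.100.7", 443, 51000, seq=900000)
    print(validate_icmp_error(legit, SAMPLE_CONNS))    # accepted: PMTUD update
    print(validate_icmp_error(bad_seq, SAMPLE_CONNS))  # rejected: SEQ outside window
```

Note that a connection with nothing in flight (SND.UNA == SND.NXT) rejects every ICMP error, which is the intended behaviour: no datagram of ours can have triggered one. The FastL4/ePVA issue in this article is that the hardware path skipped a check of this kind for accelerated flows.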

This vulnerability only applies to FastL4 virtual servers on BIG-IP platforms with the embedded Packet Velocity Acceleration (ePVA) chip. The ePVA chip is a hardware acceleration Field Programmable Gate Array (FPGA) that delivers high-performance Layer 4 (L4) IPv4 throughput. ePVA chips are included on the following BIG-IP platforms:

B2100 Blade in the VIPRION C2400 or C2200 Chassis

B2150 Blade in the VIPRION C2400 or C2200 Chassis

B2250 Blade in the VIPRION C2400 or C2200 Chassis

B4300 Blade in the VIPRION C4480 or C4800 Chassis

B4340 Blade in the VIPRION C4480 or C4800 Chassis

BIG-IP 12000 series

BIG-IP 10000 series

BIG-IP 7000 series

BIG-IP 5000 series

BIG-IP i5000 series

BIG-IP i7000 series

BIG-IP i10000 series

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from F5 Networks BIG-IP Solution K23440942.
#
# The text description of this plugin is (C) F5 Networks.
#

include("compat.inc");

if (description)
{
  script_id(100000);
  script_version("3.6");
  script_cvs_date("Date: 2019/05/09  9:52:02");

  script_cve_id("CVE-2004-0790", "CVE-2004-0791", "CVE-2004-1060", "CVE-2005-0065", "CVE-2005-0066", "CVE-2005-0067", "CVE-2005-0068");
  script_bugtraq_id(13124);

  script_name(english:"F5 Networks BIG-IP : Insufficient validation of ICMP error messages (K23440942)");
  script_summary(english:"Checks the BIG-IP version.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote device is missing a vendor-supplied security patch."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The vulnerability described in this article was initially fixed in
earlier versions, but a regression was reintroduced in BIG-IP 12.x
through 13.x. For information about earlier versions, refer to K4583:
Insufficient validation of ICMP error messages - VU#222750 /
CVE-2004-0790 (9.x - 10.x).

Multiple TCP/IP and ICMP implementations allow remote attackers to
cause a denial of service (reset TCP connections) via spoofed ICMP
error messages, aka the 'blind connection-reset attack.' NOTE:
CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based
on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and
CVE-2005-0068 are related identifiers that are SPLIT based on the
underlying vulnerability. While CVE normally SPLITs based on
vulnerability, the attack-based identifiers exist due to the variety
and number of affected implementations and solutions that address the
attacks instead of the underlying vulnerabilities. (CVE-2004-0790)

Impact

A remote attacker can interfere with the Path MTU Discovery process
and cause a performance degradation or reset of FastL4 accelerated TCP
connections by spoofing a specifically crafted Internet Control Message
Protocol (ICMP) message.

This vulnerability only applies to FastL4 virtual servers on BIG-IP
platforms with the embedded Packet Velocity Acceleration (ePVA)
chip. The ePVA chip is a hardware acceleration Field Programmable Gate
Array (FPGA) that delivers high-performance Layer 4 (L4) IPv4
throughput. ePVA chips are included on the following BIG-IP
platforms:

B2100 Blade in the VIPRION C2400 or C2200 Chassis

B2150 Blade in the VIPRION C2400 or C2200 Chassis

B2250 Blade in the VIPRION C2400 or C2200 Chassis

B4300 Blade in the VIPRION C4480 or C4800 Chassis

B4340 Blade in the VIPRION C4480 or C4800 Chassis

BIG-IP 12000 series

BIG-IP 10000 series

BIG-IP 7000 series

BIG-IP 5000 series

BIG-IP i5000 series

BIG-IP i7000 series

BIG-IP i10000 series"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://support.f5.com/csp/article/K23440942"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://support.f5.com/csp/article/K4583"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade to one of the non-vulnerable versions listed in the F5
Solution K23440942."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_access_policy_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_advanced_firewall_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_acceleration_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_security_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_application_visibility_and_reporting");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_link_controller");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_local_traffic_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:f5:big-ip_policy_enforcement_manager");
  script_set_attribute(attribute:"cpe", value:"cpe:/h:f5:big-ip");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/04/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/05/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/08");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"F5 Networks Local Security Checks");

  script_dependencies("f5_bigip_detect.nbin");
  script_require_keys("Host/local_checks_enabled", "Host/BIG-IP/hotfix", "Host/BIG-IP/modules", "Host/BIG-IP/version", "Settings/ParanoidReport");

  exit(0);
}


include("f5_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
version = get_kb_item("Host/BIG-IP/version");
if ( ! version ) audit(AUDIT_OS_NOT, "F5 Networks BIG-IP");
if ( isnull(get_kb_item("Host/BIG-IP/hotfix")) ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/hotfix");
if ( ! get_kb_item("Host/BIG-IP/modules") ) audit(AUDIT_KB_MISSING, "Host/BIG-IP/modules");

sol = "K23440942";
vmatrix = make_array();

if (report_paranoia < 2) audit(AUDIT_PARANOID);

# AFM
vmatrix["AFM"] = make_array();
vmatrix["AFM"]["affected"  ] = make_list("13.0.0","12.0.0-12.1.2");
vmatrix["AFM"]["unaffected"] = make_list("13.0.0HF1","12.1.2HF1","11.4.0-11.6.1");

# AM
vmatrix["AM"] = make_array();
vmatrix["AM"]["affected"  ] = make_list("13.0.0","12.0.0-12.1.2");
vmatrix["AM"]["unaffected"] = make_list("13.0.0HF1","12.1.2HF1","11.4.0-11.6.1");

# APM
vmatrix["APM"] = make_array();
vmatrix["APM"]["affected"  ] = make_list("13.0.0","12.0.0-12.1.2");
vmatrix["APM"]["unaffected"] = make_list("13.0.0HF1","12.1.2HF1","11.4.0-11.6.1");

# ASM
vmatrix["ASM"] = make_array();
vmatrix["ASM"]["affected"  ] = make_list("13.0.0","12.0.0-12.1.2");
vmatrix["ASM"]["unaffected"] = make_list("13.0.0HF1","12.1.2HF1","11.4.0-11.6.1");

# AVR
vmatrix["AVR"] = make_array();
vmatrix["AVR"]["affected"  ] = make_list("13.0.0","12.0.0-12.1.2");
vmatrix["AVR"]["unaffected"] = make_list("13.0.0HF1","12.1.2HF1","11.4.0-11.6.1");

# LC
vmatrix["LC"] = make_array();
vmatrix["LC"]["affected"  ] = make_list("13.0.0","12.0.0-12.1.2");
vmatrix["LC"]["unaffected"] = make_list("13.0.0HF1","12.1.2HF1","11.4.0-11.6.1");

# LTM
vmatrix["LTM"] = make_array();
vmatrix["LTM"]["affected"  ] = make_list("13.0.0","12.0.0-12.1.2");
vmatrix["LTM"]["unaffected"] = make_list("13.0.0HF1","12.1.2HF1","11.4.0-11.6.1");

# PEM
vmatrix["PEM"] = make_array();
vmatrix["PEM"]["affected"  ] = make_list("13.0.0","12.0.0-12.1.2");
vmatrix["PEM"]["unaffected"] = make_list("13.0.0HF1","12.1.2HF1","11.4.0-11.6.1");


if (bigip_is_affected(vmatrix:vmatrix, sol:sol))
{
  if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = bigip_get_tested_modules();
  audit_extra = "For BIG-IP module(s) " + tested + ",";
  if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);
  else audit(AUDIT_HOST_NOT, "running any of the affected modules");
}
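The plugin hands its version matrix to bigip_is_affected() in f5_func.inc, which is not on this page. The added example below is an independent re-implementation of the check that matrix implies, written for this page and not Tenable's code: it parses BIG-IP version strings with an optional HF suffix, matches them against the exact, hotfix-qualified and range entries used above, and reports the installed modules that are affected. Two points are assumptions rather than documented behaviour of f5_func.inc: unaffected entries take precedence over affected ones (so 13.0.0HF1 clears 13.0.0), and a hotfix-qualified unaffected entry covers that hotfix and any later one on the same base version.

```python
import re

# Version matrix transcribed from the plugin: every listed module shares the same
# entries. Entries are "X.Y.Z", "X.Y.ZHFn" or an inclusive range "lo-hi".
MODULES = ["AFM", "AM", "APM", "ASM", "AVR", "LC", "LTM", "PEM"]
VMATRIX = {
    m: {"affected": ["13.0.0", "12.0.0-12.1.2"],
        "unaffected": ["13.0.0HF1", "12.1.2HF1", "11.4.0-11.6.1"]}
    for m in MODULES
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:HF(\d+))?$")


def parse_version(text):
    """'12.1.2HF1' -> ((12, 1, 2), 1); '12.1.2' -> ((12, 1, 2), None)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised BIG-IP version string: %r" % text)
    major, minor, maint, hf = m.groups()
    return (int(major), int(minor), int(maint)), (None if hf is None else int(hf))


def entry_matches(entry, base, hotfix, unaffected_entry):
    """Does one matrix entry cover the installed (base, hotfix)?

    Ranges compare the base version only. A hotfix-qualified entry on the
    unaffected list is read as "this hotfix or any later one on that base version"
    (assumption, see lead-in); on the affected list it must match exactly.
    """
    if "-" in entry:
        lo, hi = entry.split("-", 1)
        return parse_version(lo)[0] <= base <= parse_version(hi)[0]
    e_base, e_hf = parse_version(entry)
    if e_base != base:
        return False
    if e_hf is None:
        return True
    return hotfix >= e_hf if unaffected_entry else hotfix == e_hf


def is_affected(vmatrix, module, version, hotfix=0):
    """True/False for a module in the matrix, None when the module is not listed.

    Unaffected entries are checked first (assumption) so that 13.0.0HF1 clears
    the bare 13.0.0 entry on the affected list. A hotfix embedded in the version
    string ("12.1.2HF1") overrides the separate hotfix argument.
    """
    rules = vmatrix.get(module)
    if rules is None:
        return None
    base, hf = parse_version(version)
    if hf is not None:
        hotfix = hf
    if any(entry_matches(e, base, hotfix, True) for e in rules["unaffected"]):
        return False
    return any(entry_matches(e, base, hotfix, False) for e in rules["affected"])


def affected_modules(vmatrix, installed_modules, version, hotfix=0):
    """The plugin's report, in miniature: installed modules whose version is affected."""
    return [m for m in installed_modules if is_affected(vmatrix, m, version, hotfix)]


if __name__ == "__main__":
    print(affected_modules(VMATRIX, ["LTM", "ASM", "GTM"], "12.1.2"))     # ['LTM', 'ASM']
    print(affected_modules(VMATRIX, ["LTM", "ASM", "GTM"], "12.1.2", 1))  # []
```

A version the matrix lists on neither side (14.x here, or 11.x below 11.4.0) comes back unaffected, which mirrors the plugin's behaviour of only flagging versions explicitly in the affected list; when extending the matrix from a newer K article, add the new ranges rather than relying on that default.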
Vendor  Product                                    Version  CPE
f5      big-ip_access_policy_manager                        cpe:/a:f5:big-ip_access_policy_manager
f5      big-ip_advanced_firewall_manager                    cpe:/a:f5:big-ip_advanced_firewall_manager
f5      big-ip_application_acceleration_manager             cpe:/a:f5:big-ip_application_acceleration_manager
f5      big-ip_application_security_manager                 cpe:/a:f5:big-ip_application_security_manager
f5      big-ip_application_visibility_and_reporting         cpe:/a:f5:big-ip_application_visibility_and_reporting
f5      big-ip_link_controller                              cpe:/a:f5:big-ip_link_controller
f5      big-ip_local_traffic_manager                        cpe:/a:f5:big-ip_local_traffic_manager
f5      big-ip_policy_enforcement_manager                   cpe:/a:f5:big-ip_policy_enforcement_manager
f5      big-ip                                              cpe:/h:f5:big-ip